Asking for a translation. Translating it myself is painful, and even once it is translated I don't understand the technical points; I hope someone can help, urgently! If that is not possible, just telling me which book these points come from, or what the corresponding Chinese book is, would also be fine. Urgent!
Researchers recognized early on that negotiation strategies that directly disclose credentials may leak information about credentials and policies that are never disclosed. By observing the behavior of a party, one may also be able to determine what strategy they are using, which can be used as leverage in extracting additional information. We describe some of these leaks in this section.
A credential may contain more information than needed to satisfy a policy. For example, Alice can prove that she is over 21 by presenting a digital driver’s license. However, the license also gives her home address, exact date of birth, weight, and other details that are not needed to prove that she is over 21. To address these shortcomings, researchers have proposed versions of digital credentials that allow one to hide information that is irrelevant to the negotiation at hand, such as Alice’s home address [29, 60]. More sophisticated (and more expensive) schemes provide even more privacy, by avoiding direct disclosure of credentials. For example, Alice can prove that she is over 21, without disclosing her exact age [16, 17, 30, 15, 39]. These schemes allow Alice to prove to Bob that she has the properties specified in his policy, without Bob learning exactly what properties she has. For example, in the pharmacy example, Bob might learn that Alice is authorized to place an order, without learning who her doctor is. Bob only learns that Alice has some combination of properties that satisfy his policy.
Often, possession or non-possession of a sensitive credential is itself sensitive information. For example, suppose that Alice is a CIA employee, and Bob is looking for people who might be such agents. Bob might query people for their CIA credentials. Even if Alice has a policy to protect the credential, her response to such a request, in which she asks for Bob’s credentials in turn, can indicate that she has the credential. In other words, a request for such a credential may cause the recipient to issue counter-requests for credentials needed to satisfy disclosure of the sensitive credential. This, in turn, may indicate that the recipient possesses the sensitive credential. Non-possession may also be sensitive, and termination of a negotiation upon request for a credential can indicate non-possession.
If the value of an attribute in a credential is sensitive, then it is possible for a principal to determine ownership and value of the attribute by the other negotiating principal based on her replies. For example, suppose that Alice has a sensitive date of birth field in her driver’s license. Now, if Bob’s policy has a constraint on age, and upon receipt of Bob’s policy, Alice responds by asking for any further credentials from Bob, then Bob can assume that Alice has the attribute that satisfies the constraint. By using a scheme similar to binary search, it is possible for Bob to determine Alice’s age, without Alice revealing it to him.
Under many proposed approaches to trust negotiation [14, 62, 68], an attacker can even use a need-to-know attack to systematically harvest information about an arbitrary set of credentials that are not even relevant to the client’s original request [52]. To do this, the attacker rewrites her policies in such a way that they are logically equivalent to the original policies, but when used during negotiation, they force the victim into a series of disclosures related to the credentials being harvested. Once the harvest is over, the negotiation completes as it would have with the original policies.
The most complete solution to these problems is to adopt a negotiation approach that does not involve direct disclosure of credentials [16, 17, 30, 15, 24, 39]. While these approaches vary in the degree of privacy that they provide, all of them can avoid the leaks cataloged in this section. The price of this improved protection, of course, is significantly longer execution times; thus one may wish to reserve these expensive strategies for policies that are particularly sensitive, and use direct disclosure elsewhere [41]. In general, these TN approaches replace direct disclosure with sophisticated cryptography, usually coupled with special-purpose formats for credentials. These approaches are very interesting in their own right; due to space limitations, we refer the reader to the publications listed above for more information.
In some instances, less expensive forms of protection can be effective against leakage. One approach is that when Bob queries Alice about a sensitive attribute, she does not respond, whether she has that attribute or not [57]. Only after Bob satisfies the conditions to allow disclosure does Alice disclose the credential, or disclose the fact that she does not possess it. This approach is also effective if non-possession is sensitive. However, it relies on the willingness of individuals to behave in the same manner whether or not they possess the sensitive attribute; for those who do not possess it, there may be little incentive to behave in this manner, as the negotiation will progress faster if they immediately confess that they do not have the attribute.
Another solution with moderate runtime costs involves the use of acknowledgement policies [63]. In this scheme, Alice has an acknowledgement policy (ack-policy) for each possible sensitive credential, regardless of whether she has that credential or not. She only discloses whether she has the credential after the ack-policy has been satisfied. This approach also relies on the willingness of people who do not possess a sensitive attribute to act as though they did, even though it will prolong negotiations. The other disadvantage of this approach is that users will have many more policies, and policy specification and maintenance is a huge practical challenge.
Another way to address the problem is to abstract away from requesting specific credentials, and instead request a particular attribute [59]. For example, one can request age instead of a driver’s license. With the help of an ontology of concepts and credential contents, a party can choose which credential to disclose to prove possession of the desired attribute, in such a manner that as little sensitive information as possible is disclosed in the process. For example, Alice might choose to prove her age by disclosing her passport rather than her driver’s license, as the latter includes her home address and other sensitive information not present in a passport. The ontology can also be used to help respond to requests for a particular attribute by disclosing either more specific or more general information than was requested. For example, if asked to prove North American residency, a party might instead prove that they live in Mexico.
In all approaches where parties directly disclose credentials to one another, a credential owner has no guarantee that the other party will not show her disclosed credentials and policies to additional parties. In other words, there is no guarantee, or even any suggestion, that others will respect her disclosure policies. PeerAccess [66] addresses this problem by requiring recipients of information to ensure that future recipients of that information also satisfy the original owner’s disclosure policies; however, a malicious party could simply ignore this requirement. Another low-cost option is to employ P3P during trust negotiation, as proposed for the privacy-preserving version of the Trust-χ framework for TN [60]. Under this approach, information owners can examine the P3P policies of their negotiation partners, before disclosing any credentials or policies. Of course, a malicious party might not abide by their own P3P policy. In addition, when a credential is forwarded to a third party, the original owner does not have the opportunity to inspect the P3P policy of that party and approve the transfer. If these are significant concerns, then a more expensive TN approach that does not directly disclose credentials or policies is always an option.
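As an added illustration (not part of the original post or the paper it quotes), the Python simulation below models the age-inference leak described in the section: a direct-disclosure negotiator answers differently depending on whether her sensitive date of birth satisfies the requester's age constraint, so a binary search over thresholds recovers her age from replies alone, whereas a negotiator with an acknowledgement policy gives the same reply whether or not she holds the attribute until the ack-policy is satisfied, so the same search learns nothing. Class names, the age range and the credential name "pharmacy-license" are constructed for the example.

```python
from typing import Callable, Optional, Tuple

class DirectDisclosureNegotiator:
    """Alice under a direct-disclosure strategy: she counter-requests Bob's
    credentials only when her age could satisfy his constraint, and terminates
    otherwise. That asymmetry in replies is the information leak."""
    def __init__(self, age: int) -> None:
        self.age = age  # constructed sample value; never sent on the wire

    def respond(self, min_age: int, bob_creds: frozenset = frozenset()) -> str:
        return "counter-request" if self.age >= min_age else "terminate"


class AckPolicyNegotiator:
    """Alice with an acknowledgement policy: every request touching the sensitive
    attribute gets the same reply until Bob satisfies the ack-policy, whether or
    not Alice actually holds the attribute (age None models non-possession)."""
    def __init__(self, age: Optional[int], required_cred: str) -> None:
        self.age = age
        self.required_cred = required_cred  # credential Bob must show first

    def respond(self, min_age: int, bob_creds: frozenset = frozenset()) -> str:
        if self.required_cred not in bob_creds:
            return "counter-request"  # identical for possession and non-possession
        if self.age is None:
            return "not-possessed"
        return "satisfied" if self.age >= min_age else "unsatisfied"


def infer_age(respond: Callable[[int], str], lo: int = 0, hi: int = 128) -> Tuple[Optional[int], int]:
    """Binary search over age thresholds using only the negotiator's replies.
    Returns (inferred age, number of queries); age is None when the replies at
    both ends of the range are identical, i.e. nothing can be learned."""
    base = respond(lo)
    queries = 2
    if respond(hi) == base:
        return None, queries
    # Invariant: respond(lo) == base and respond(hi) != base.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        queries += 1
        if respond(mid) == base:
            lo = mid
        else:
            hi = mid
    return lo, queries
```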